Comment 4 for bug 2039741

Mike Ferreira (mafoelffen) wrote:

We found a way in... (https://lemmy.world/post/7029429)

It seems that in key-slot 1 of each of the two LUKS containers, the key is translated from the recovery key into a hex key, which is stored within key-slot 1 of each of the containers.

https://<email address hidden> came up with a Go script:
https://pastebin.com/WdFNRb7C

Derived from this post at the Forums of snapcraft:
https://forum.snapcraft.io/t/uc20-fde-boot-flow/27895/13

Which uses the original ParseRecoveryKey():
https://github.com/snapcore/secboot/blob/master/crypt.go

I had him modify the script to create a key.out key-file, as during my tests, it was found to be in raw hex format.

Using that key-file, I can unlock the LUKS containers and add new keys to them. So there is now a work-around that makes it possible to add new passphrases and to re-enroll a TPM after this type of failure.
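As an added illustration of the translation step described in this comment (not the pastebin script, and not secboot's own code from the linked crypt.go), here is a small self-contained Go program that converts a recovery key into its raw key bytes and writes them to a key-file. The format it assumes, eight groups of five decimal digits with each group a little-endian uint16 giving 16 raw bytes, is my reading of secboot's ParseRecoveryKey and should be checked against the linked source; the recovery key value in the comments is constructed, not a real one. The key-file is written as raw bytes because that is what cryptsetup's --key-file reads, with owner-only permissions so the recovered secret is not left world-readable.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// RecoveryKey holds the 16 raw bytes behind a human-readable recovery key.
type RecoveryKey [16]byte

// ParseRecoveryKey converts the dashed form "xxxxx-xxxxx-...-xxxxx" (eight
// groups of five decimal digits, dashes optional) into raw bytes. Each group
// is a uint16 stored little-endian. This layout is an assumption drawn from
// reading secboot's ParseRecoveryKey; verify against crypt.go before relying
// on it. Any group above 65535, a missing group, or trailing text is rejected.
func ParseRecoveryKey(s string) (RecoveryKey, error) {
	var out RecoveryKey
	s = strings.TrimSpace(s)
	for i := 0; i < 8; i++ {
		if len(s) < 5 {
			return RecoveryKey{}, errors.New("recovery key: too few characters")
		}
		x, err := strconv.ParseUint(s[:5], 10, 16) // bitSize 16 rejects > 65535
		if err != nil {
			return RecoveryKey{}, fmt.Errorf("recovery key: group %d: %w", i+1, err)
		}
		binary.LittleEndian.PutUint16(out[i*2:], uint16(x))
		s = s[5:]
		if i < 7 && len(s) > 0 && s[0] == '-' { // separator between groups
			s = s[1:]
		}
	}
	if len(s) != 0 {
		return RecoveryKey{}, errors.New("recovery key: trailing characters")
	}
	return out, nil
}

// String renders the raw bytes back into the dashed decimal form, which lets
// a user confirm the parse round-trips before touching any LUKS header.
func (k RecoveryKey) String() string {
	parts := make([]string, 8)
	for i := range parts {
		parts[i] = fmt.Sprintf("%05d", binary.LittleEndian.Uint16(k[i*2:]))
	}
	return strings.Join(parts, "-")
}

// Hex returns the lowercase hex encoding of the raw key bytes.
func (k RecoveryKey) Hex() string { return hex.EncodeToString(k[:]) }

// WriteKeyFile writes the raw 16 bytes (no newline, no hex encoding) to path
// with mode 0600, the form cryptsetup --key-file consumes.
func WriteKeyFile(k RecoveryKey, path string) error {
	return os.WriteFile(path, k[:], 0o600)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: recovery2keyfile <recovery-key> <key.out>")
		os.Exit(2)
	}
	k, err := ParseRecoveryKey(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := WriteKeyFile(k, os.Args[2]); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Echo the parsed key back so a typo in the recovery key is caught here
	// rather than as a failed cryptsetup luksOpen.
	fmt.Printf("parsed %s -> %s, wrote %s\n", k, k.Hex(), os.Args[2])
}
```

The resulting file is what would be passed as `--key-file key.out` to `cryptsetup luksOpen` or `cryptsetup luksAddKey`; delete it (or keep it on encrypted storage only) once the new passphrase has been enrolled, since it is the full unlock secret for the container.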